One of the higher-signal-level Apple mailing lists with a manageable amount of traffic is apple-cdsa, the place for discussing the world’s most popular Common Data Security Architecture deployment. There’s currently an interesting thread about code signatures, which asks the important question: how do I make use of code signatures?
Well, actually, it’s not so much about how I can use code signatures, but how the subset of Clapham Omnibus riders who own Macs (a very small subset, as the combination of overheating batteries in the old G4 PowerBooks and combustible bendy-busses means they don’t stay around very long) can use code signatures. Unfortunately, the answer seems to currently be “not by much”, with little impression of that changing. The code signing process and capability is actually pretty damned cool, and a nice security feature which I’ll be talking about at MacDev 09. It’s used to good effect in the iPhone, where it and FairPlay DRM are part of that platform’s locked-down execution environment.
The only problem is, there’s not much a user can do with it. It’s pretty hard to find out who signed a particular app, in fact the only thing you can easily do is discover that the same entity signed two versions of the same app. And that’s by lack of interface, not by any form of dialogue or confirmation. That means that when faced with the “Foobar app has changed. Are you sure you still want to allow it to [whatever]” prompt, many users will be unaware of the implications of the question. Those who are and (sensibly) want to find out why the change has occurred will quickly become frustrated. Therefore everyone’s going to click “allow”, which rather reduces the utility of the feature :-(.
Is that a problem yet? Well, I believe it is, even though there are few components yet using the code signature information in the operating system. And it’s precisely that allow-happy training which I think is the issue. By the time the user interfaces and access control capabilities of the OS have developed to the point where code signing is a more useful feature (and believe me, I think it’s quite a useful one right now), users will be in the habit of clicking ‘allow’. You are coming to a sad realisation; allow or deny?